ArcSight SmartConnectors
Software Version: 8.4.3
Configuration Guide for Microsoft DNS Trace
Log Multiple Server File SmartConnector
Document Release Date: October 2023
Software Release Date: October 2023
Configuration Guide for Microsoft DNS Trace Log Multiple Server File SmartConnector
Legal Notices
Open Text Corporation
275 Frank Tompa Drive, Waterloo, Ontario, Canada, N2L 0A1
Copyright Notice
Copyright 2023 Open Text.
The only warranties for products and services of Open Text and its affiliates and licensors (“Open Text”) are as may be
set forth in the express warranty statements accompanying such products and services. Nothing herein should be
construed as constituting an additional warranty. Open Text shall not be liable for technical or editorial errors or
omissions contained herein. The information contained herein is subject to change without notice.
Trademark Notices
“OpenText” and other Open Text trademarks and service marks are the property of Open Text or its affiliates. All other
trademarks or service marks are the property of their respective owners.
Documentation Updates
The title page of this document contains the following identifying information:
• Software Version number
• Document Release Date, which changes each time the document is updated
• Software Release Date, which indicates the release date of this version of the software
To check for recent updates or to verify that you are using the most recent edition of a document, go to:
https://www.microfocus.com/support-and-services/documentation
OpenText SmartConnectors (8.4.3) Page 2 of 16
Contents
Configuration Guide for Microsoft DNS Trace Log Multiple Server File SmartConnector 4
Product Overview 5
Configuration 6
Using Server Debug Logging Options 6
Install the SmartConnector 9
Prepare to Install Connector 9
Install Core Software 9
Set Global Parameters (optional) 10
Select Connector and Add Parameter Information 11
Select a Destination 12
Complete Installation and Configuration 12
Run the SmartConnector 13
Device Event Mapping to ArcSight Fields 14
Microsoft DNS Trace Log Multiple Server File Mappings to ArcSight ESM Fields 14
Send Documentation Feedback 16
Configuration Guide for Microsoft DNS Trace Log Multiple Server File SmartConnector
This guide provides information for installing the SmartConnector for Microsoft DNS
Trace Log Multiple Server File and configuring the device for event collection. For
supported devices and versions, see Technical Requirements.
Intended Audience
This guide provides information for IT administrators who are responsible for managing
the ArcSight software and its environment.
Additional Documentation
The ArcSight SmartConnector documentation library includes the following resources:
• Technical Requirements Guide for SmartConnector, which provides information about
operating system, appliance, browser, and other support details for SmartConnector.
• Installation and User Guide for SmartConnectors, which provides detailed information
about installing SmartConnectors.
• Configuration Guides for ArcSight SmartConnectors, which provide information
about configuring SmartConnectors to collect events from different sources.
• Configuration Guide for SmartConnector Load Balancer, which provides detailed
information about installing Load Balancer.
For the most recent version of this guide and other ArcSight SmartConnector
documentation resources, visit the documentation site for ArcSight SmartConnectors 8.4.
Contact Information
We want to hear your comments and suggestions about this book and the other
documentation included with this product. You can use the comment on this topic link at
the bottom of each page of the online documentation, or send an email to MFI-[email protected].
For specific product issues, contact Open Text Support for Micro Focus products.
Product Overview
The Domain Name System (DNS) is a hierarchical distributed database and an associated
set of protocols that define a:
• Mechanism for querying and updating the database
• Mechanism for replicating the information in the database among servers
• Schema of the database
With DNS, the host names reside in a database that can be distributed among multiple
servers, decreasing the load on any one server and providing the ability to administer this
naming system on a per-partition basis. DNS supports hierarchical names and allows
registration of various data types in addition to host name to IP address mapping used in
HOSTS files.
This ArcSight SmartConnector lets you import events generated by the Microsoft DNS
Trace Log Multiple Server File device into the ArcSight System. See the section "Device
Event Mapping to ArcSight Data Fields" later in this document for the specific events
mapped to fields in the ArcSight database.
Configuration
Detailed information regarding DNS Monitoring can be found at:
http://technet.microsoft.com/en-us/library/cc783975(WS.10).aspx.
The primary tool used to manage DNS servers is the DNS console, which can be found in
the Administrative Tools folder in the Start menu's Programs folder.
DNS server event messages are separated and kept in their own system event log, the
DNS server log. The DNS server log contains events logged by the DNS server service.
Most critical DNS server service events are logged here, such as when the server starts
but cannot locate initializing data.
You can change the event types logged by DNS servers using the DNS console. You also
can use the DNS console to selectively enable additional debug logging options for
temporary trace logging to a text-based file of DNS server activity.
Using Server Debug Logging Options
By default, all debug logging options are disabled. When selectively enabled, the DNS
Server service can perform additional trace-level logging of selected types of events or
messages for general troubleshooting and debugging of the server. Dns.log contains the
debug logging activity. By default, it is located in the %windir%\System32\Dns folder.
The following DNS debug logging options are available:
Packet Direction
  Outgoing: Packets sent by the DNS server are logged in the DNS server log file.
  Incoming: Packets received by the DNS server are logged in the log file.
Packet Content
  Queries/Transfers: Specifies that packets containing standard queries (per RFC 1034) are logged in the DNS server log file.
  Updates: Specifies that packets containing dynamic updates (per RFC 2136) are logged in the DNS server log file.
  Notifications: Specifies that packets containing notifications (per RFC 1996) are logged in the DNS server log file.
Transport Protocol
  UDP: Specifies that packets sent and received over UDP are logged in the DNS server log file.
  TCP: Specifies that packets sent and received over TCP are logged in the DNS server log file.
Packet Type
  Request: Specifies that request packets are logged in the DNS server log file (a request packet is characterized by a QR bit set to 0 in the DNS message header).
  Response: Specifies that response packets are logged in the DNS server log file (a response packet is characterized by a QR bit set to 1 in the DNS message header).
Other Options
  Filter packets by IP address: Provides additional filtering of packets logged in the DNS server log file.
  Details: Specifies that all event details be logged in the DNS server log file.
Log File
  File path and name: Lets you specify the name and location of the DNS server log file.
  Log file maximum size limit: Lets you set the maximum file size for the DNS server log file.
To select and enable debug logging options on the DNS server:
1. Open DNS. (Click Start -> Control Panel -> Administrative Tools. Double-click DNS.)
2. In the console tree, right-click the applicable DNS server, then click Properties.
3. Click the Debug Logging tab.
4. To set the debug logging options, first select Log packets for debugging. To ensure
collecting the appropriate information for processing by ArcSight, select the options
shown in the following figure.
In addition to selecting events for the DNS debug log file, select the default values or
specify the file name, location, and maximum file size for the file.
Install the SmartConnector
The following sections provide instructions for installing and configuring your selected
SmartConnector.
Connector Appliance/ArcSight Management Center supports mounting for Network File System
(NFS) and CIFS (Windows) shares. When you install this connector on one of these devices,
establish a CIFS mount on the device before adding the connector. Provide this share name
during connector configuration. For more information, see Remote File Systems in the
Connector Appliance or ArcSight Management Center Administrator's Guide.
Prepare to Install Connector
Before you install any SmartConnectors, make sure that the ArcSight products with which the
connectors will communicate have already been installed correctly (such as ArcSight ESM or
ArcSight Logger).
For complete product information, read the Administrator's Guide as well as the Installation
and Configuration guide for your ArcSight product before installing a new SmartConnector. If
you are adding a connector to the ArcSight Management Center, see the ArcSight Management
Center Administrator's Guide for instructions, and start the installation procedure at "Set Global
Parameters (optional)" or "Select Connector and Add Parameter Information."
Before installing the SmartConnector, be sure the following are available:
• Local access to the machine where the SmartConnector is to be installed
• Administrator passwords
Install Core Software
Unless specified otherwise at the beginning of this guide, this SmartConnector can be installed
on all ArcSight supported platforms; for the complete list, see the SmartConnector Product and
Platform Support document, available from the OpenText SSO site.
1. Download the SmartConnector executable for your operating system from the OpenText SSO
site.
2. Start the SmartConnector installation and configuration wizard by running the executable.
Follow the wizard through the following folder selection tasks and installation of the core
connector software:
  • Introduction
  • Choose Install Folder
  • Choose Shortcut Folder
  • Pre-Installation Summary
  • Installing...
3. When the installation of SmartConnector core component software is finished, the following
window is displayed:
Set Global Parameters (optional)
If you choose to perform any of the operations shown in the following table, do so before
adding your connector. You can set the following parameters:
Parameter: Setting
FIPS mode: Select 'Enabled' to enable FIPS compliant mode. To enable FIPS Suite B Mode, see the SmartConnector User Guide under "Modifying Connector Parameters" for instructions. Initially, this value is set to 'Disabled'.
Remote Management: Select 'Enabled' to enable remote management from ArcSight Management Center. When queried by the remote management device, the values you specify here for enabling remote management and the port number will be used. Initially, this value is set to 'Disabled'.
Remote Management Listener Port: The remote management device will listen to the port specified in this field. The default port number is 9001.
Preferred IP Version: When both IPv4 and IPv6 IP addresses are available for the local host (the machine on which the connector is installed), you can choose which version is preferred. Otherwise, you will see only one selection. The initial setting is IPv4.
The following parameters should be configured only if you are using OpenText SecureData
solutions to provide encryption. See the OpenText SecureData Architecture Guide for more
information.
Parameter: Setting
Format Preserving Encryption: Data leaving the connector machine to a specified destination can be encrypted by selecting 'Enabled' to encrypt the fields identified in 'Event Fields to Encrypt' before forwarding events. If encryption is enabled, it cannot be disabled. Changing any of the encryption parameters again will require a fresh installation of the connector.
Format Preserving Policy URL: Enter the URL where the OpenText SecureData Server is installed.
Proxy Server (https): Enter the proxy host for https connection if any proxy is enabled for this machine.
Proxy Port: Enter the proxy port for https connection if any proxy is enabled for this machine.
Format Preserving Identity: The OpenText SecureData client software allows client applications to protect and access data based on key names. This key name is referred to as the identity. Enter the user identity configured for OpenText SecureData.
Format Preserving Secret: Enter the secret configured for OpenText SecureData to use for encryption.
Event Fields to Encrypt: Recommended fields for encryption are listed; delete any fields you do not want encrypted and add any string or numeric fields you want encrypted. Encrypting more fields can affect performance, with 20 fields being the maximum recommended. Also, because encryption changes the value, rules or categorization could also be affected. Once encryption is enabled, the list of event fields cannot be edited.
After making your selections, click Next. A summary screen is displayed. Review the summary
of your selections and click Next. Click Continue to return to the "Add a Connector"
window. Continue the installation procedure with "Select Connector and Add Parameter
Information."
Select Connector and Add Parameter Information
1. Select Add a Connector and click Next. If applicable, you can enable FIPS mode and enable
remote management later in the wizard after SmartConnector configuration.
2. Select Microsoft DNS Trace Log Multiple Server File and click Next.
3. Enter the required SmartConnector parameters to configure the SmartConnector, then click
Next.
Parameter: Description
Folder: The absolute path to the location of the log files.
  - For Windows platform, use: 'c:\Program Files\DNS_Multi_File\logs\'
  - For Linux platform, use: '/var/log/dnsmultifile/'
  For multiple servers, click Add and enter information about the additional server.
  - For Windows platform, use: \\<servername>\folder\folder.
Wildcard: The log file name ('*.log') has two parts:
  - Part 1: ('*') is the file name
  - Part 2: ('.log') is the file type
  - For example: 'dnsmulti.log'
Log File Type: Accept the default "tracelog".
Select a Destination
1. The next window asks for the destination type; select a destination and click Next. For
information about the destinations listed, see the ArcSight SmartConnector User Guide.
2. Enter values for the destination. For the ArcSight Manager destination, the values you enter
for User and Password should be the same ArcSight user name and password you created
during the ArcSight Manager installation. Click Next.
3. Enter a name for the SmartConnector and provide other information identifying the
connector's use in your environment. Click Next. The connector starts the registration process.
4. If you have selected ArcSight Manager as the destination, the certificate import window for
the ArcSight Manager is displayed. Select Import the certificate to the connector from
destination and click Next. (If you select Do not import the certificate to connector from
destination, the connector installation will end.) The certificate is imported and the Add
connector Summary window is displayed.
Complete Installation and Configuration
1. Review the Add Connector Summary and click Next. If the summary is incorrect, click
Previous to make changes.
2. The wizard now prompts you to choose whether you want to run the SmartConnector as a
stand-alone process or as a service. If you choose to run the connector as a stand-alone
process, select Leave as a standalone application, click Next, and continue with step 5.
3. If you chose to run the connector as a service, with Install as a service selected, click Next.
The wizard prompts you to define service parameters. Enter values for Service Internal Name
and Service Display Name and select Yes or No for Start the service automatically. The Install
Service Summary window is displayed when you click Next.
4. Click Next on the summary window.
5. To complete the installation, choose Exit and click Next.
For instructions about upgrading the connector or modifying parameters, see the
SmartConnector User Guide.
Run the SmartConnector
SmartConnectors can be installed and run in stand-alone mode, on Windows platforms as a
Windows service, or on UNIX platforms as a UNIX daemon, depending upon the platform
supported. On Windows platforms, SmartConnectors also can be run using shortcuts and
optional Start menu entries.
If the connector is installed in stand-alone mode, it must be started manually and is not
automatically active when a host is restarted. If installed as a service or daemon, the connector
runs automatically when the host is restarted. For information about connectors running as
services or daemons, see the ArcSight SmartConnector User Guide.
To run all SmartConnectors installed in stand-alone mode on a particular host, open a
command window, go to $ARCSIGHT_HOME\current\bin and run: arcsight connectors
To view the SmartConnector log, read the file $ARCSIGHT_HOME\current\logs\agent.log; to
stop all SmartConnectors, enter Ctrl+C in the command window.
Device Event Mapping to ArcSight Fields
The following section lists the mappings of ArcSight data fields to the device's specific event
definitions. See the ArcSight Console User's Guide for more information about the ArcSight
data fields.
Microsoft DNS Trace Log Multiple Server File Mappings
to ArcSight ESM Fields
ArcSight ESM Field: Device-Specific Field
Agent (Connector) Severity: High = 2, 3, 5, 16, SERVFAIL, NXDOMAIN, REFUSED, BADVERS, BADSIG; Medium = 1, 4, 6-10, 17-22, Error, Warning, FORMERR, NOTIMP, YXDOMAIN, YXRRSET, NXRRSET, NOTAUTH, NOTZONE, BADKEY, BADTIME, BADMODE, BADNAME, BADALG, BADTRUNC; Low = 0, 11-15, 23-65535, Information, Success, NOERROR (based on the Rcode values at http://www.networksorcery.com/enp/protocol/dns.htm#Rcode, Return code)
Application Protocol: application protocol
Bytes In: Size, incoming bytes
Destination Address: destination address
Destination DNS Domain: destination DNS domain
Destination Host Name: destination host name
Destination NT Domain: destination NT domain
Device Action: Action taken by the device
Device Custom IPv6 Address 2: Source IPv6 address
Device Custom Number 2: TTL
Device Custom String 1: Thread Id
Device Custom String 2: OpCode
Device Custom String 3: Flags (character codes)
Device Custom String 4: Reason or error code
Device Direction: Snd=Outbound, Rcv=Inbound
Device Event Category: Context
Device Event Class ID: Event Name (for events whose Device Event Category is "PACKET", the DECID is the OpCode with the Rcode value appended)
Device Product: 'DNS Trace Log'
Device Receipt Time: DateTime
Device Severity: One of (Information, Warning, Error, Success, NOERROR)
Device Vendor: 'Microsoft'
File Name: file name
File Path: file path
Message: Rcode description (based on the Rcode descriptions at http://www.networksorcery.com/enp/protocol/dns.htm#Rcode, Return code)
Name: Rcode name (based on the Rcode names at http://www.networksorcery.com/enp/protocol/dns.htm#Rcode, Return code)
Request URL: Question Name
Source Address: Source network address
Source DNS Domain: sourceDNSDomain
Source Host Name: Source host name
Source Port: Source port
Source Service Name: sourceServiceName
Start Time: startTime
Transport Protocol: transport protocol (UDP)
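The Agent Severity buckets and the PACKET-line field mappings in the table above, worked through in code. This is an added example, not the connector's parser or Microsoft code: the severity buckets, Rcode names and ArcSight field names come from the table, while the trace-log line layout in PACKET_RE is an assumption modelled on the Microsoft DNS debug log format, and the sample lines are constructed.

```python
"""Bucket a DNS Rcode into the connector's Agent Severity and pull the mapped
fields out of a PACKET trace-log line. Added illustration, not connector or
Microsoft code: the buckets and field names follow the mapping table; the line
layout in PACKET_RE is an assumption modelled on the Microsoft DNS debug log."""
import re

# Rcode names the trace log prints, keyed to their numeric values. BADVERS and
# BADSIG share code 16, which is why both appear in the High bucket.
RCODE_VALUES = {
    "NOERROR": 0, "FORMERR": 1, "SERVFAIL": 2, "NXDOMAIN": 3, "NOTIMP": 4,
    "REFUSED": 5, "YXDOMAIN": 6, "YXRRSET": 7, "NXRRSET": 8, "NOTAUTH": 9,
    "NOTZONE": 10, "BADVERS": 16, "BADSIG": 16, "BADKEY": 17, "BADTIME": 18,
    "BADMODE": 19, "BADNAME": 20, "BADALG": 21, "BADTRUNC": 22,
}
# Device Severity words the table buckets alongside the Rcodes.
TEXT_SEVERITY = {"Error": "Medium", "Warning": "Medium",
                 "Information": "Low", "Success": "Low"}

def agent_severity(code):
    """High/Medium/Low for an Rcode number, Rcode name or Device Severity word:
    High = 2, 3, 5, 16; Medium = 1, 4, 6-10, 17-22; Low = 0, 11-15, 23-65535."""
    if isinstance(code, str):
        if code in TEXT_SEVERITY:
            return TEXT_SEVERITY[code]
        code = RCODE_VALUES[code.upper()]
    if code in (2, 3, 5, 16):
        return "High"
    if code in (1, 4) or 6 <= code <= 10 or 17 <= code <= 22:
        return "Medium"
    if code == 0 or 11 <= code <= 15 or 23 <= code <= 65535:
        return "Low"
    raise ValueError(f"Rcode out of range: {code}")

# Assumed layout of a PACKET line: date time AM/PM thread PACKET pktid proto
# Snd|Rcv remote-addr xid [R] opcode [flags-hex flag-chars RCODE] qtype qname
PACKET_RE = re.compile(
    r"^(?P<date>\S+ \S+ [AP]M)\s+(?P<thread>[0-9A-Fa-f]+)\s+PACKET\s+\S+\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<addr>\S+)\s+\S+\s+"
    r"(?P<resp>R)?\s*(?P<opcode>[A-Z?])\s+\[(?P<fhex>[0-9A-Fa-f]{4})\s+"
    r"(?P<fchars>[A-Z ]*?)\s*(?P<rcode>[A-Z]+)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)")

def decode_qname(wire_name):
    """Turn the log's '(3)www(7)example(3)com(0)' into 'www.example.com'."""
    labels = [lbl for _, lbl in re.findall(r"\((\d+)\)([^()]*)", wire_name) if lbl]
    return ".".join(labels) or "."

def map_packet_line(line):
    """Map one PACKET line onto the ArcSight fields named in the table, or
    return None for lines that are not packet traces (e.g. EVENT lines)."""
    m = PACKET_RE.match(line)
    if not m:
        return None
    return {
        "deviceCustomString1": m["thread"],                   # Thread Id
        "deviceCustomString2": m["opcode"],                   # OpCode
        "deviceCustomString3": "".join(m["fchars"].split()),  # Flags (char codes)
        "deviceDirection": "Outbound" if m["dir"] == "Snd" else "Inbound",
        "transportProtocol": m["proto"],
        "sourceAddress": m["addr"],        # remote address as the log prints it
        "name": m["rcode"],                # Rcode name
        "agentSeverity": agent_severity(m["rcode"]),
        "requestUrl": decode_qname(m["qname"]),               # Question Name
    }
```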
Send Documentation Feedback
If you have comments about this document, you can contact the documentation team by
email. If an email client is configured on this computer, click the link above and an email
window opens with the following information in the subject line:
Feedback on Configuration Guide for Microsoft DNS Trace Log Multiple Server File
SmartConnector (SmartConnectors 8.4.3)
Just add your feedback to the email and click send.
If no email client is available, copy the information above to a new message in a web mail
client, and send your feedback to
[email protected].
We appreciate your feedback!